
Impact of EU General Data Protection Regulation on marketing in financial services

Hand-out on the seminar held at Cass Business School, London

Tuesday 27 January 2015

This hand-out has been produced with the kind assistance of Fieldfisher LLP . The law stated is correct as of this date. This does not constitute legal advice and it is highly recommended to seek professional legal advice when in any doubt about understanding your rights and obligations in order to comply with the law and regulations that impact marketing. Further information is available at www.marketors.org

Photography of the seminar by David Graeme-Baker


Financial Services Forum/Worshipful Company of Marketors 2

Speakers' biographies

Ardi Kolah FCIM LL.M is co-author of Data Protection and Privacy: A practical guide to complying with the EU General Data Protection Regulation and The Data Protection Officer's Handbook: Your guide to the skills and knowledge required under the EU General Data Protection Regulation, both to be published by Kogan Page in early 2016. He is Chairman of the Law & Marketing Committee of the Worshipful Company of Marketors and co-director of EU Compliance and Recruitment, which trades under the Community Mark Go DPO.

Hazel Grant is partner and head of privacy and information law at Fieldfisher LLP and has over 20 years' experience advising clients on data protection issues. Her specialist areas of interest are data compliance, international data transfers, data audits and data retention projects. Her work also covers responding to data security breaches, notifying data losses to the regulator and negotiating remediation work and compensation. She advises organisations on information access requests (whether for personal information or government-held information) and handles complaints to the regulator and appeals to the tribunal.

Chris Wood is head of business compliance in the UK for HSBC and has over 15 years' experience of working in the financial services sector. A qualified accountant by background, Chris has worked in many different industries including textiles, heavy engineering and printing, and also spent five years as a lecturer in Leeds. For the last 15 years he has worked in the FS sector, where he has held a number of roles including Head of Unit Pricing, Head of Regulatory Policy and Director of Re and Op Risk (which included being the MLRO) at Aviva. In March 2014 Chris joined HSBC as Head of Business Compliance for the UK, a role that includes responsibility for data privacy.


Jenny Moseley is director and co-founder of Opt-4. She followed the European legislation affecting direct marketing in her role as Assistant Vice President and European Circulation Director of the National Geographic Society. She was Vice President of the Federation of European Direct and Digital Marketing (FEDMA) for five years and was heavily involved in the lobbying for self-regulation in direct marketing at a European level. She is a Fellow of the Institute of Direct and Digital Marketing and is a former Chairman of the DMA UK.

Martin Hickley is a data governance, protection and privacy specialist with 25 years' experience of mediating with regulators (FCA, ICO, DVLA and Dep Ed) in the world of data and information, working in blue-chip companies where data is the raison d'être of the organisation. Experienced in data management, data governance, privacy, risk, compliance and security, he takes a global and enterprise view of how data should be fashioned to meet all known current and future business objectives within the evolving regulatory framework. Martin is a Fellow of the British Computer Society.

David Cowan is managing director of the Financial Services Forum. He brings a wealth of experience in senior media management roles and was previously Group Publisher for Centaur Media, with responsibility across print, online and awards in the Financial Division. Prior to that he worked for the FT Group, Express Newspapers and Mirror Group Newspapers. He is responsible for The Forum's business strategy, member services and relationships with key commercial partners and sponsors, as well as management of The Forum team.


Personal message from Sir Paul Judge Alderman of the City of London

“I wanted to get a message to all of you about how important it is that the City keeps on top of the changes that are taking place in the way we collect, store, transfer and use data. It’s vitally important that everyone is fully prepared for the biggest shake-up in data protection and privacy for a decade and taking steps now to safeguard business continuity will ensure that your firms will continue to grow and prosper.”


The journey to EU General Data Protection Regulation (GDPR)

The journey of the GDPR to the present day has been a long and at times controversial one. In January 2012, the European Commission (EC) issued a proposal for a European-wide data protection reform. In March 2014, an amended proposal was approved by the European Parliament, in effect creating two drafts of the same Regulation (the Commission draft and the Parliament draft) with significant differences between them. The proposals are now under review by the Council of Ministers, who have declared that nothing is agreed until everything is agreed.

To date these drafts have had more amendments than any previous body of EU regulation. Given the priority that EC President Jean-Claude Juncker has placed on reaching agreement on this landmark regulation, many believe that the GDPR will be agreed by all parties by the middle of 2015. Although differences remain, the feeling among the panel was that the financial services sector can't adopt a 'wait and see' approach in the vain hope that it will go away. It won't. Data protection and the security of data is perhaps the biggest issue facing the sector from a business continuity perspective, because getting this badly wrong opens the door to punitive fines of up to five percent of global turnover or €100m.

(L-R) Martin Hickley, Hazel Grant, Ardi Kolah, Jenny Moseley and Chris Wood

To underline how vulnerable even the largest organisations are to a large-scale incident, just 30 minutes before the seminar began both Facebook and Instagram went offline. Lizard Squad claimed to have taken them down with a denial-of-service attack, a claim Facebook denied. Either way, the social network's 1.6bn users couldn't access their accounts for over half an hour. A denial-of-service attack disrupts availability rather than exposing data, but Lizard Squad and groups like it represent a continuing threat to the data that financial services firms hold on servers that can be infiltrated by those determined to carry out such attacks.

Lizard Squad was also behind attacks on Sony and other major organisations


Under the new GDPR, data protection authorities (DPAs) will 'hold hands' and in doing so provide a so-called one-stop shop for complainants against financial services firms, irrespective of where in the EU the issue took place.

Change in existing EU data protection laws

The GDPR will effectively replace the Data Protection Directive 95/46/EC, and make the UK Data Protection Act 1998 redundant, by bringing in a European-wide approach to data protection and security that moves away from the patchwork of national laws that exists at present. It also places data processors and data controllers under equal legal responsibilities with respect to the transfer and use of data. A proposed 'data protection seal' will signal to consumers that a financial services firm complies with the requirements of the supervisory authority and can transfer data to third parties on a lawful basis, in the hope that consumers will be reassured by the higher standards of data protection that such a firm meets. The obligation to report breaches, however small, will be the responsibility of the Data Protection Officer (DPO), who will work independently within a large financial services organisation, and such breaches are likely to have to be reported within 24 hours.

Hazel Grant, partner and head of privacy and information law at Fieldfisher LLP


EU Ordinary Legislative Procedure

European Commission

• Initial consultation

• Institutional feedback

• Agrees text

European Parliament

• Committee appointed (LIBE)

• Various reports commissioned

• Amendments to Commission version

• 1st reading: agrees text in full Parliament vote

Council of the European Union

• Working party appointed (DAPIX)

• Series of meetings reviewing text

• 1st reading: agrees Parliament text or proposes amendments

Reconciling the institutions

• "Trilogue" formed from all three institutions

• Text goes back to Parliament for a 2nd reading and, if necessary, back to Council for a 2nd reading

• If Council rejects the Parliament's amendments, a Conciliation Committee is set up. If it cannot agree a joint text, the proposal is dropped (Rejected)

• If a text is agreed, it is sent to Parliament for a 3rd reading and then to Council (Adopted)


The panel also commented on the problem of slippage in the timetable for introducing the GDPR. The lack of clarity makes it hard for firms to plan and prioritise what is important; that is easier to do once things are nailed down. Jenny Moseley added that there was also concern that good data controllers were being punished, because they were more likely to report breaches. On the other hand, she thought the GDPR would give more clarity to marketing activities within the financial services sector and that this was in the best interest of its customers.

Chris Wood, head of business compliance in the UK for HSBC says GDPR should be approved ASAP

Timetable for GDPR

Summary of main changes made by GDPR within EU law (main change: description)

Territorial scope: extended to organisations outside the EU processing data relating to data subjects in the EU (includes offering them services or monitoring them)

One stop shop: replaces 'lead authority'

Supply chain: controllers and processors, and the 'Data Protection Seal'

Increased fines: up to 5% of global turnover / €100m

Data breach reporting: without undue delay

Data Protection Officers: appointed where more than 5,000 data subjects' records are processed

Privacy Impact Assessments: at least annually (and consultation with the DPA/supervisory authority)

Consent: must be freely given and obtained for a specific purpose

Security broadened: more than 'technical and organisational measures'

Personal data: includes cookies and IP addresses

More transparency: icon-based privacy notices

Pseudonymous and encrypted data: still personal data, but subject to less stringent requirements

International transfers: adequacy criteria are amended by the GDPR


Issue of Customer Consent

The issue of customer consent was also widely discussed at the seminar, and it is clear that banks such as HSBC are re-wiring their approach so that protecting the customer is the paramount principle in how they manage their business. Financial services firms must obtain consent, and it must be freely given for a specific purpose rather than for some blanket purpose. There is still some argument between lawyers as to whether implied consent is a dead duck; some feel that implied consent in certain circumstances will still be lawful under the GDPR.

Over 100 delegates attended the seminar at Cass Business School, London

Major causes of a data breach

Human error accounts for the biggest cause of data breaches in financial services

According to Martin Hickley, a major cause of data breaches is human error, so education and training will be core to reducing this risk within financial services. However, there was a recognition, particularly with regard to junior staff, that such a risk can never be 100% eradicated, which leaves fines and sanctions under the GDPR as a real possibility.

Typical human error includes the failure to encrypt data, a lack of privacy policies and even misdirected communications, whether by post, fax or email. Chris Wood told the story of one incident in which the sender accidentally clicked 'Reply all', so that the private email beneath the message was sent to over 55m other people before the matter was brought under control. By then, of course, it was too late and a significant data breach had occurred.


Most common grounds for taking enforcement action for data breach

• Human error

• Failure to encrypt

• Lack of policies

• Lack of staff training

• Misdirected communications (fax, email, post, hand delivery)

• Reliance on electronic systems

• Paper records

• Accidental loss / theft

• Breaching direct marketing rules

• Bad asset control (decommissioning of hardware)

Most common grounds for mitigation for data breach

• Self-reported to Data Protection Authority (DPA)

• Good post-incident behaviours:

o Detailed investigations after the breach

o Remedial action

o Cooperated fully with the DPA

• Most organisations that were fined are good data controllers!

Negative media coverage can damage brand value

As well as fines, DPAs like to ‘name and shame’ those firms that have fallen below the standards expected of them and the reputation damage to the brand in such cases could easily outstrip the financial penalties imposed, according to Hazel Grant. For example, the French authorities recently forced Google to publish details on non-compliance on its home page for 48 hours. Google complained but lost its case in the courts.


Jenny Moseley made the point that the Financial Conduct Authority's Conduct of Business Sourcebook (COBS), which governs marketing within the financial services sector, will need to be revised in light of the GDPR. For example, terms and conditions in contracts will need to be fair, clear and not misleading, and an audit done by her firm on the websites of many of the delegates attending the seminar showed massive failings in this area. The language in privacy policies can no longer read like gobbledygook; it must be clear to those who are intended to read it, particularly where it asks for their consent. And the gap between how the rules apply to B2C and B2B will narrow until it disappears altogether.

Top 10 Tips for marketing professionals in financial services

1. Write down a set of data protection policies and procedures and ensure that these are compliant with the GDPR. Such policies and procedures should include what actions need to happen in the event of a data breach.

2. Consider what breaches might do harm to customers/clients and pay particular attention to mitigating these risks. The most serious are either financial fraud or identity fraud, so sales and marketing professionals should pay particular attention to passport details and other personal information stored on their servers.

3. All financial services firms need to invest in educating and training all employees involved in the collection and processing of data, with a view to reducing the risk of human error, and should automate as many processes as possible for the same reason.

4. All financial services firms need to set very clear, fair and transparent rules for obtaining customer consent.

5. Financial services firms shouldn't keep data forever. The exception is the information needed to ensure that they don't contact someone who has expressly said that they don't want to be contacted in the future; without it, such a person could be contacted again by accident.


6. All financial services firms should have a policy for destroying out-of-date data.

7. All financial services firms need to recognise the risk of consumer activism where one aggrieved customer can very quickly galvanise a mass campaign against the brand on Twitter and social network sites.

8. Sales and marketing professionals need to integrate data protection fully into all business processes and not treat this as an add-on or side issue.

9. Marketers should consider the GDPR as a marketing opportunity and potentially a source of competitive advantage by performing data processing tasks more efficiently and accurately.

10. Customers should be treated as a source of business rather than a piece of data and need to be treated fairly, with respect to their rights to privacy and without cynicism.
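Tips 5 and 6 together describe a retention rule: destroy out-of-date records, but keep enough to honour a 'do not contact' request. The following Python is an added example and is not part of the seminar hand-out or of any firm's system; the record layout, the 90-day window, the key and the sample records are assumptions for illustration. It goes a step beyond the text by keeping opted-out addresses only as a keyed hash (a pseudonymisation technique), which, as the summary table notes, is still personal data under the GDPR, while the rest of the expired record is destroyed.

```python
import hashlib
import hmac
from datetime import date, timedelta

# Assumed parameters for illustration; a real firm sets these by policy.
RETENTION_DAYS = 90
# Assumed secret for the keyed hash. Store it in a secrets manager, not in source,
# and rotate it with a re-hash of the suppression list.
SUPPRESSION_KEY = b"example-key-replace-and-rotate"


def normalise_email(addr: str) -> str:
    """Canonicalise an address so later opt-out lookups match the stored token."""
    return addr.strip().lower()


def suppression_token(addr: str, key: bytes = SUPPRESSION_KEY) -> str:
    """HMAC-SHA256 of the normalised address.

    The token lets the firm recognise an address it must not contact without
    keeping the address itself. It still relates to an identifiable person
    (anyone holding the key can test a candidate address), so the key and the
    list need protecting like other personal data.
    """
    return hmac.new(key, normalise_email(addr).encode("utf-8"), hashlib.sha256).hexdigest()


def purge_expired(records, today, retention_days=RETENTION_DAYS, suppression=None):
    """Apply the retention rule and return (kept_records, suppression_tokens).

    records: dicts with keys 'email', 'last_contact' (date) and 'opted_out'
    (bool); this layout is an assumption. Opted-out contacts are removed as
    full records and kept only as tokens (tip 5); records with no contact
    inside the retention window are destroyed (tip 6); everything else is kept.
    """
    tokens = set(suppression or ())
    cutoff = today - timedelta(days=retention_days)
    kept = []
    for rec in records:
        if rec["opted_out"]:
            tokens.add(suppression_token(rec["email"]))
            continue  # the personal record goes; only the token remains
        if rec["last_contact"] < cutoff:
            continue  # out-of-date data is destroyed
        kept.append(rec)
    return kept, tokens


def may_contact(addr: str, suppression) -> bool:
    """True unless the (normalised) address appears in the suppression list."""
    return suppression_token(addr) not in suppression


# Constructed sample data, not taken from any real customer file.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "last_contact": date(2015, 1, 20), "opted_out": False},
    {"email": "bob@example.com", "last_contact": date(2014, 9, 1), "opted_out": False},
    {"email": "carol@example.com", "last_contact": date(2015, 1, 10), "opted_out": True},
]


def run_sample(today=date(2015, 1, 27)):
    """Run the purge over the sample file as of the seminar date."""
    kept, suppression = purge_expired(SAMPLE_RECORDS, today)
    return {
        "kept_emails": [r["email"] for r in kept],
        "suppressed_count": len(suppression),
        "can_contact_carol": may_contact("CAROL@example.com ", suppression),
        "can_contact_alice": may_contact("alice@example.com", suppression),
    }


if __name__ == "__main__":
    print(run_sample())
```

Running the sample as of 27 January 2015 keeps Alice (contacted within 90 days), destroys Bob's record (last contact in September 2014) and replaces Carol's record with a token, so a later attempt to mail her is refused even when the address is typed with different capitalisation and whitespace.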

Continuing professional development

Both the Financial Services Forum and the Worshipful Company of Marketors hold events throughout the year that support marketers in their learning and development.


About the Financial Services Forum

In 2000, a handful of senior financial services executives met informally, to share ideas and knowledge with their industry peers. They talked about the business, their business and how all concerned could benefit significantly by optimising their individual and corporate marketing effectiveness.

So began The Financial Services Forum, as a meeting of like-minded professionals, talking amongst themselves, about their business issues, without the distractions and pressures of agencies, vendors or consultants. Their aim was to improve their understanding of the consumer, the marketplace and their own marketing performance. That small group has grown by about 50 members each year to the current 550 members. We will continue to grow - but carefully and very selectively, as membership is less about numbers and more about inviting the right people at the right time. Thus membership is strictly by invitation only and exclusively extended to dedicated financial services practitioners with a contribution to make and a voice that should be heard. Whilst the majority of our membership is comprised of Marketing Directors, the Forum has also been successful in attracting CEOs, Directors of Strategy, Product, Finance, Operations and HR, all connected through their interest in marketing effectiveness.

The story continues

Surviving and thriving in an industry sector that never stands still, and which is becoming ever more competitive, demands perpetual focus and 20/20 vision. The Financial Services Forum exists to provide that very focus, and the critical insight, which allows our Members to concentrate on improving performance by putting marketing effectiveness first.

What makes The Financial Services Forum’s agenda both relevant and beneficial to our Members is the fact that it is totally independent and sector-specific, and is created by the Members (under the guidance of the Advisory Board) and for the Members. It involves the right people, addressing the right topics – both current wisdom and future trends – through an eclectic mix of conferences, workshops and other events. Further, the Forum seeks both to recognise and to reward success through the respected annual ‘Awards for Marketing Effectiveness’ – the only awards dedicated to financial services marketing effectiveness.

Membership of The Financial Services Forum not only deals in accepted wisdom, but also gives decision-makers the opportunity to be exposed to current thinking, on-going activities and future trends – in short, nothing but the full picture.

Further information: www.thefsforum.co.uk/


About the Worshipful Company of Marketors

The Worshipful Company of Marketors is a City Livery Company whose members are on the way to achieving, or have achieved, mastery and excellence within the marketing profession. We draw inspiration from the ancient but enduring values of the "Rules of Life" for freemen of the City of London.

Our values:

• Integrity: both personal and in business

• Excellence: the highest standards in Marketing and Company activities

• Others as well as self: as in Marketing, we put the customer first, so as Marketors we pay attention to the needs and well-being of others

• Long-term perspective: honouring the past, celebrating the present, cultivating the future.

Our aims:

• Actively support the Mayoralty and the City of London Corporation

• Promote marketing education and the benefits of the profession of marketing to those in the City, the Livery and beyond

• Give back, both financially and in kind, and contribute to the development of marketing

• Bring in and retain Members, foster fellowship, and plan and arrange succession.

Law & Marketing Committee

There has been a seismic change in the marketing legal landscape that has transformed the way we work, irrespective of whether this is in the public or private sector. The EU has effectively rewritten the law on privacy, human rights, data protection and marketing across the web and mobile networks, and more changes that are critical to modern marketing management are in the pipeline. Keeping up to date on all these changes can be difficult and very time-consuming. The Law and Marketing Committee helps to steer Company Members through the legal minefield of key EU and UK laws.

In addition, the Law and Marketing Committee also examines whether the marketing profession is upholding the ‘spirit’ of what the law intended by embracing ethics, principles of fairness, respect for the individual and upholding the highest standards of professional conduct expected in our profession and will play a leading role within the City of London in influencing that important debate.

Further information: http://marketors.org/
